Encryption has become much more usable in recent years, to the point where a company of nearly any size can rely on simple data encryption to protect sensitive data and, in some cases, help meet compliance needs as well.

In this presentation, IT security professional Mike Chapple provides a brief introduction of encryption technology and what it can and can't do. He also examines the state of the technology landscape, discusses different types of encryption, covers the best usage scenarios for encrypting different devices and data types, and offers a helpful enterprise encryption strategy to make encryption easier for your organization.

Applications of cryptography including disk encryption, email encryption, HTTP over SSL and VPNs.

About the presenter: Mike Chapple is an IT Security professional with the University of Notre Dame.

This presentation was originally recorded Sept. 27, 2010.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.

Enterprise encryption strategy: The path to simple data encryption

Welcome to the SearchSecurity webcast: Simplifying Encryption. I am Mike Chapple. Encryption can be an intimidating topic. It may bring to mind visions of mathematicians with chalkboards full of formulas and complicated security technologies. In this webcast we are going to break it down into simple terms.

We are going to talk about what encryption is, what it can and cannot do, the basics of encryption algorithms, and some simple applications of encryption. To get started, we first have to talk about what encryption is. There is an entire field of cryptology dedicated to the study of encryption. Basically, what it is is taking plain text information, clear messages, and converting them, using mathematical algorithms, into ciphertext that is not understandable to someone who is not an intended recipient of the message. The ciphertext can only be decrypted by someone who has access to the encryption key, and this is a theoretical requirement, of course. There is an entire field called cryptanalysis that is dedicated to breaking encryption schemes. It is very important that you select a strong, credible encryption algorithm, and that you carefully protect your key when you are using encryption. We will talk more about that later on.

Encryption is one of the strongest tools in the security toolkit. It can provide several major benefits, but it is important to recognize what encryption can do and what it cannot do. There are two major functions encryption can perform. First, it can protect data in transit, so data traveling over a network, whether it is your local network, a wireless network or the internet, can be protected against eavesdropping with encryption, so that someone who is also on that same network, who has access to the data transiting the wire or traveling over the air, cannot read the contents of the message while it is being sent. Encryption can also protect data at rest from theft. So information stored on a laptop computer or external hard drive, for example: those physical devices are vulnerable to theft if they are left in an unsecured location. If the data on them is encrypted, however, the thief only makes off with a hardware device worth a few hundred dollars, and does not have access to the sensitive data that might be stored on it and might be worth much, much more.

Now that you understand those two things that encryption can do, it is important to remember what encryption cannot do, and that is everything else in security. Encryption is not a panacea. It provides protection for data at rest and data in transit, but you still have to worry about the configuration of your security devices and computers, using other security controls such as firewalls and antivirus to protect against malicious code, and also the insider threat. Remember that someone who has access to the encryption key can bypass all of your encryption controls, so there is always the risk that an internal person will take some action against you.

Let us take a look at the four goals of cryptography. Before we do that I want to introduce you to three people: Alice, Bob and Mal. These are three characters that are commonly used in examples when we are talking about cryptography, to describe the transit of a message between two people and the goals of cryptography during that communication. In this example, Alice is the sender of a message and Bob is the intended recipient. Mal is the spy, the evil person who is lurking in the background trying to gain access to that message and bypass the goals of the cryptography.

The first goal is confidentiality. When Alice and Bob communicate with each other, they both want to make sure that the communication is secret. That is, Mal or anyone else, even if they are able to gain physical access to the message while it is in transit between them, is not able to understand what the contents of that message are. The second goal of encryption is integrity, protecting the contents of the message from alteration. Bob and Alice both know that when Bob receives the message, the message that he is looking at is the message that Alice actually sent, and that it was not altered by Mal while it was in transit.

The third goal of cryptography builds on integrity; it is called non-repudiation. What it does is provide Bob the ability to go one step further. In addition to being able to prove to himself that the message he received was not altered while it was in transit, it also provides Bob with the ability to prove to other people that the message that was sent actually came from Alice. So it is evidence that he could use to prove to Charlie, a third party who is not even shown here, or to a court of law, for example, that the message he is holding came from Alice and is not something that Bob could have forged himself. Finally, the fourth goal of encryption is authentication, providing evidence of identity. With this goal Alice is able to use encryption to prove her identity to Bob or to someone else.

Those are the four things we try to do with cryptography. There are two basic technical operations that we can perform using the mathematical functions of cryptography. The first of these is encryption. Encryption is, again, quite simply taking plain text, running it through an encryption function with some kind of encryption key, which you can basically think of as the password to the encryption, and producing ciphertext. So an encryption function uses the secret key to convert plain text into ciphertext. Once you have that ciphertext, the recipient of the message has to do something to be able to read it, and that is decryption. The decryption function takes that ciphertext and uses the secret key to convert it back into plain text again.

There are two different types of cryptography, symmetric algorithms and asymmetric algorithms. The main difference between them is the types of keys that are used. In symmetric cryptography both the sender and the recipient use the same key. So the same key is used for the encryption function and the decryption function, to transform the plain text into the ciphertext and the ciphertext back into the plain text again. In asymmetric cryptography, on the other hand, different keys are used. So the sender and the recipient have different keys that are used for the encryption and the decryption function. The sender is the only one who knows the encryption key, and the recipient is the only person who knows the decryption key. We are going to continue to talk about this as we move through the presentation.

Let us take a deeper look at symmetric cryptography. We are going to talk about the number of keys that need to be used. In our basic example where we have Alice and Bob using symmetric cryptography, there is only one key that is used. So Alice and Bob have that shared secret key that Alice uses to encrypt the message and then Bob uses with the decryption function to decrypt the message when he receives it. It is very straightforward. If we add a third person, Charlie, to the scenario, and everyone in this network, Alice, Bob and Charlie, wants to be able to communicate privately with everyone else in the network, we have to have three different keys. Alice and Bob have to have a shared secret key that Charlie does not know, Alice and Charlie have to have a shared secret key that Bob does not know, and Bob and Charlie have to have a shared secret key that the other two do not know. So three total keys are needed for the encryption.

As we expand the scenario, you can see here examples of what happens when we move from two to three, four, five, six or even seven people in the communication. The number of keys needed to provide that direct path between each pair of individuals grows very, very quickly. Here is a slide that shows you this mathematically. The formula at the bottom of the slide, N × (N − 1) / 2, tells you how to take the number of people, N, who are communicating and transform it into the number of keys that are needed. So if we have a very realistic scenario in a company where you have 100 users, you would actually need 4,950 keys for each one of those users to communicate with everyone else privately. You can imagine that every time someone comes to or leaves the organization, you have to change all of the keys that they used in order to update your security.

If we grow to a large enterprise that has 20,000 users, the scalability becomes completely unmanageable, because now we need just about 200 million keys to allow that private communication. That is where asymmetric cryptography comes into play. As I mentioned earlier, in asymmetric cryptography each user gets a pair of keys. So every user that is in the system has a public key and a private key. The private key, as the name implies, is kept for the user's use only; it is not shared with anyone else. The public key is freely distributed to everyone else in the organization, or everyone else with whom that person might need to communicate. The asymmetric algorithm is set up in such a way that anything encrypted with one key from the key pair can only be decrypted with the other key. So anyone who wants to send a user a message has access to that user's public key and can encrypt the message using that key. The user is the only one who can decrypt the message, because he or she is the only one who actually has access to the private key. This allows for greatly enhanced scalability.

If we go back to our chart and add a new column for asymmetric cryptography, you can see here that the formula used to compute the number of keys simply takes the number of users and multiplies it by two. In our mid-size business example where we had 100 users and we would have needed almost 5,000 symmetric keys, we only need 200 asymmetric keys. As we scale to a larger enterprise where we needed 200 million keys for 20,000 users, we would only need 40,000 asymmetric keys. That is obviously a much more manageable scenario.

Now you may be asking yourself, why wouldn't we use asymmetric encryption for everything? The trade-off is that this algorithm, which lets us have a much, much smaller number of keys, takes a lot more computational power. It is a lot slower to use. Symmetric cryptography is fast but requires more keys in a larger environment, and asymmetric cryptography is slower but lets us have much simpler key management. In a moment we will talk about some technologies that combine symmetric and asymmetric cryptography to have the benefits of both, where we can have a smaller number of keys using asymmetric cryptography, but then we can switch over to symmetric cryptography and benefit from the enhanced speed of that method.

The security of the encryption key is critical. As I mentioned earlier, it is the password, it is the secret sauce in cryptography. The algorithms are widely known to everyone in the world, so the key must be very difficult to guess, just like a password. It should be chosen from a large key space, so we want to have a large number of possibilities. We want to have long keys that consist of letters, numbers and punctuation; we choose them just like we would a password. It is good to have them randomly selected so that they do not match dictionary words, and carefully guarded so that no one gains access to the key. Generally speaking, the longer the encryption key, the more secure the encryption.

There are many, many choices for encryption algorithms, both symmetric and asymmetric, but all of these are based upon two fundamental concepts: substitution and transposition. Substitution ciphers are very simple. What they do is take each letter of the message and replace it with another letter. If you think back to the Captain Crunch decoder rings of your youth, where you had a little wheel and you knew to turn all of the A's into Q's and all of the B's into R's and so on, that is very simple substitution. Transposition is moving the letters around in a message, so a word or letter scramble, where each letter shifts around in a predetermined pattern that can then be unscrambled. Very, very basic substitution and transposition ciphers are very easy to crack. With the Captain Crunch decoder ring, there are only 26 possible combinations; there are only 26 ways that you can set that ring for substitution encryption. However, modern encryption algorithms still use these very basic techniques, but they combine them in a very complex fashion to provide secure cryptography, and they rely on very advanced mathematics.
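The two building blocks just described, shown as an added example (not code from the webcast or its presenter): a decoder-ring substitution, a columnar transposition, and the two combined and repeated for a few rounds in the way a block cipher's round function does. The last function enumerates the whole key space of the decoder ring to make the "only 26 settings" point concrete. All names here are the example's own; nothing in it is a real cipher.

```python
import string

ALPHABET = string.ascii_uppercase


def substitute(text: str, shift: int) -> str:
    """Decoder-ring substitution: each letter is replaced by the letter `shift`
    places further along the alphabet (A becomes D for shift 3).
    Characters outside A-Z pass through unchanged."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
        for c in text
    )


def transpose(text: str, width: int) -> str:
    """Columnar transposition: write the text in rows of `width` characters,
    then read it out column by column. No character changes, only positions do."""
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[c] for c in range(width) for row in rows if c < len(row))


def untranspose(text: str, width: int) -> str:
    """Inverse of transpose(): rebuild the columns, then read row by row."""
    full_rows, extra = divmod(len(text), width)
    cols, pos = [], 0
    for c in range(width):
        length = full_rows + (1 if c < extra else 0)  # first `extra` columns are one longer
        cols.append(text[pos:pos + length])
        pos += length
    return "".join(
        cols[c][r] for r in range(full_rows + 1) for c in range(width) if r < len(cols[c])
    )


def encrypt(plaintext: str, shift: int, width: int, rounds: int = 2) -> str:
    """Combine substitution and transposition and repeat them for several rounds,
    the same idea that DES applies 16 times with far more complex components."""
    text = plaintext
    for _ in range(rounds):
        text = transpose(substitute(text, shift), width)
    return text


def decrypt(ciphertext: str, shift: int, width: int, rounds: int = 2) -> str:
    """Undo each round with the inverse operations in reverse order."""
    text = ciphertext
    for _ in range(rounds):
        text = substitute(untranspose(text, width), -shift)
    return text


def substitution_key_space(ciphertext: str) -> list:
    """Every possible decoder-ring setting. There are only 26 shifts, so the true
    plaintext is always among these 26 candidates: substitution alone is weak."""
    return [substitute(ciphertext, -shift) for shift in range(26)]
```

Round-tripping `decrypt(encrypt(msg, 3, 5), 3, 5)` returns the message unchanged, while `substitution_key_space` on any decoder-ring ciphertext returns a list of 26 strings that always contains the original text, which is the whole reason a substitution step on its own provides no real protection.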

We are not going to go into the details; it is not necessary when you are a user of encryption to understand the math. What is important to know is that you selected an algorithm that is mathematically sound and has been tested and validated by the cryptographic community. What I would like to do is show you an example: an encryption algorithm from the 1980's known as the Data Encryption Standard, and how it works. In the picture here you see the basic operation of the Data Encryption Standard, something known as the Feistel function. It takes text that is coming in from the top here, that is the half block that is mentioned at the top of the diagram, and it takes the encryption key, which is called the sub-key in the diagram, 48 bits, and runs it through. Each one of those S1 through S8 boxes is performing a substitution operation. We are performing eight sets of four substitution operations, so 32 substitution operations on a piece of the message. Then we are doing what they call in the Data Encryption Standard permutation, the transposition of the message.

We take those 32 substitutions and we scramble them up, and that is the basic operation of the Data Encryption Standard. This operation actually happens 16 different times. As you can see, it takes the very basic building blocks of substitution and transposition and combines them in a complex fashion. The interesting thing is that the Data Encryption Standard is no longer considered secure. That complicated algorithm that I just showed you is not sophisticated enough to provide security for a modern environment; it is very easy to break. But there are stronger algorithms available. A few examples are the Advanced Encryption Standard, which for government use replaced the Data Encryption Standard; RSA public key cryptography; an algorithm called Blowfish; and many others. The key takeaway from this is that it is critical that you choose an encryption algorithm that is proven, that the cryptographic community has tested, validated and vetted. When you see someone making up their own encryption algorithm or telling you that the encryption they use is proprietary and secret to their organization, that is a gigantic red flag.

Encryption algorithms are complicated, and they should never depend upon the secrecy of the algorithm to provide their security. The algorithm should be open and available for public scrutiny and testing by mathematicians, who can validate that it is secure and that there are no flaws or intentional back doors built into the algorithm to allow the developers to gain access to the information without the key. Rather, the security should always rest in the key. As long as you keep that key secure, your encryption will be secure. That is a summary of the basics of cryptography and how the technology behind cryptography works. What I would like to do now for the remainder of this webcast is talk about a few applications of cryptography. There are four specific areas that we are going to talk about. The first is disk encryption; we will talk about full and partial disk encryption. The second is the use of cryptography to secure electronic mail. The third is the use of the Hypertext Transfer Protocol over the Secure Sockets Layer, which is a very sophisticated way of talking about secure web traffic. The fourth is virtual private networks, a way you can use cryptography to securely connect to a network from a remote location.

The first example is disk encryption. Disk encryption is an example of protecting data at rest, as we talked about earlier. It uses encryption technology to protect data that is stored on a computer or any other device. You can use disk encryption for external disks, for USB devices, for anything that stores data. The primary protection that disk encryption provides is protecting against the theft of the device. If the computer, hard drive, flash drive, whatever it is, is stolen, the thief who has the device only has a piece of hardware that is worth a few hundred dollars to you. They do not have access to the sensitive data that might be stored on the device. Disk encryption counters a rash of security incidents that occurred several years ago, where, before people were using encryption technology, laptops were being stolen, backup tapes were being stolen or lost from delivery trucks, and organizations were being forced to report security incidents to the public where they did not even know that the data was actually compromised, but they did know that they had lost control of the device. A thief might have been looking for a device and simply wanted to sell it at a pawn shop for a few hundred dollars, but since the data on the device was not encrypted, the company had no way of knowing who had control over it, so as a precautionary measure it had to notify everyone that it had lost the data and that it may have been compromised. Disk encryption protects you against that scenario and stops you from having to do those notifications.

There are two different types of disk encryption, full disk encryption and partial disk or file encryption. I will talk about each of those. Full disk encryption protects the entire hard drive, and these technologies work in a number of different ways, but essentially they grant access to the hard drive at boot time. You provide your password to log into the computer, and that password is then used to feed the decryption function, so that when the operating system goes to access the hard drive, it gains access to the real contents of the drive and the files stored on your computer. It is transparent to you. Once you log in to your computer, the hard drive essentially becomes unlocked, and the operating system has access to all of the data and is able to show it to you when you need it. If your hard drive is not encrypted, it is very easy for someone to simply take it, put it into another computer and read the contents without booting the operating system that is stored on the drive. They simply boot a different operating system, read the contents of the drive, and are able to bypass the password controls and all of the other security and protections that your operating system provides. When the disk is encrypted, this approach simply does not work, and a thief who gains physical access to your computer and then tries to remove the hard drive and insert it into another computer won't be able to read the contents, because they are all encrypted. Without access to the encryption key, which is protected by your operating system password, they are unable to gain access to the contents of the drive. So when a computer with full disk encryption is stolen, the organization can be confident that the contents of the computer have not been disclosed to a third party.

Now, just as we talked about earlier with encryption having its limitations, it is very important that you remember here that full disk encryption protects you against theft. It is a very strong protection; it is the best that you can do to protect yourself against the loss of data due to theft of a physical device. But it does not protect you against anything else. So if the computer gets a virus and the user goes and logs on, gaining access to the hard drive, that virus also gains access to the data on the hard drive, and that data could be lost that way. Or if the user simply leaves the computer powered on, logged in and unlocked on their desk, anybody can walk up to it and gain access to the data. Once it is unlocked it is unlocked, but if a thief steals a computer when it is turned off, they will not be able to gain access to the contents of the drive.

I have also listed here a few common technologies for full disk encryption. Microsoft includes the BitLocker technology, which is now built into the Windows operating system, so it is available to you already. It can be managed through Active Directory. Then there are quite a few third party products. A couple that are very popular are a product called SafeGuard made by Utimaco, and PGP Corporation's Whole Disk Encryption product. They all provide different management capabilities and slightly different functionality, but the main goal is that they provide this full disk encryption that protects the entire hard drive.

The alternative to full disk encryption is partial disk encryption. Partial disk encryption, as the name implies, protects portions of the file system. Unlike full disk encryption, which simply encrypts everything and then provides access to the user when the computer is booted and the user provides his or her password, partial disk encryption protects only parts of the file system. The user or the system administrator can designate which folders and files are protected with encryption technology, and access to those files is granted when the files are requested. There are a large number of technologies available to provide partial disk encryption solutions. Microsoft, as well as providing BitLocker for full disk encryption, also provides the Encrypting File System, EFS, which is available to users of Windows for use in providing partial disk encryption. You can designate, again, which files you would like to encrypt in EFS, and the encryption is managed by Microsoft Active Directory and provides for things like password recovery; so if a user encrypts a file and then that user either won't provide or forgets his or her password, say they leave the organization, the administrators have a way to recover the password and gain access to the file without the user's intervention.

On the Macintosh side, there is a product called FileVault that is built into Mac OS X and provides partial disk encryption. There are many, many third party products available that can be used to provide encryption. Some are very complex and provide advanced technology like EFS and FileVault; others are quite simple and allow you to encrypt individual files. As an example, most zip utilities (you probably remember zip as file archiving software that lets you combine a whole bunch of files into a single file and compress it for transmission), most zip programs actually provide encryption as well. It is built into the zip standard, and some programs offer advanced encryption on top of the basic encryption that is supported by the zip file standard. They allow you to encrypt a file, and you can even use that to protect both data at rest and data in transit, because if you use zip to create an encrypted file, it is now encrypted on your hard drive in that zip file, but you can also email, or send by any other means, that file, and it is already encrypted. So the data that is in transit is also encrypted without providing any additional network security. You can get extra bang for your buck that way.

The second application of encryption technology that I would like to talk about is email encryption. For obvious reasons, you would like to encrypt the content of a message. Thinking back to the goals, Alice and Bob want to encrypt the message so that they provide confidentiality and no one is able to read the email message. They want to be able to provide integrity, to make sure that no one has been able to alter the email message. They want to be able to provide non-repudiation, to be sure that Bob, the recipient of the message, can prove to a third party that the message he received was actually sent by the sender, Alice in our example. Secure/MIME is the most popular standard for email encryption. Many people use it but do not know it by that name, because Secure/MIME, S/MIME, is the encryption technology that is built into many modern email systems, including Microsoft Outlook and Exchange.

Digital signatures are a technology that is used to provide that non-repudiation. Digital signatures, first of all, require the use of asymmetric cryptography, where each user has their own key. So you can't use digital signatures with symmetric cryptography. They rely on the principle that I mentioned earlier, where anything you encrypt with one key, you decrypt with the other. So in basic encryption, where you want to provide confidentiality to a message as we described earlier, the sender of the message gets the recipient's public key and uses it to encrypt the message. Now, everyone has access to the recipient's public key, but the recipient is the only one that has access to the recipient's private key. When the sender encrypts the message with the recipient's public key, the only person that can decrypt it is someone that has the recipient's private key, and the only one who has that private key is the recipient.

With digital signatures we flip that process a little bit. The sender of a message who wants to be able to provide a digital signature, so others know that this message is guaranteed to have come from that sender, takes the message, generates a digest of the message, and then encrypts the message digest with his or her own private key. So they are creating an encrypted signature that the sender is the only person who could possibly create, because they are the only one that has access to the sender's private key. Then the recipient of the message, or anyone else for that matter, can verify that signature by taking the digital signature that was encrypted with the sender's private key and decrypting the signature using the sender's public key, which everyone has access to. Then the person who is verifying the message creates their own message digest, using the same algorithm the sender used, and compares the message digest created with that algorithm to the decrypted digital signature. If they match, they know that the sender sent the message and the goal of non-repudiation has been met, and they have done it in a way that can be duplicated and proven to someone else. That is how digital signatures add non-repudiation to email encryption.

Here is a quick example of encrypting email and how you can use encryption with email. You do have to do a little bit of setup in terms of providing encryption keys and digital signatures, and that is beyond the scope of our discussion here, but there is great documentation available online and you can see examples of that at SearchSecurity.com. If you look at Microsoft Outlook as an example, you can see a couple of screenshots here of the ribbon that appears at the top of an email message. Once you have it configured, if you want to encrypt a message with Outlook, all you have to do is click that little blue envelope icon and that encrypts the message. If you want to add a digital signature, you just have to click the envelope icon that has a little red seal indicating a signature, and the message then gets a digital signature. So this technology has now gotten to the point where it is very simple for users to use. Once it is all set up for them, which an administrator can do, they just have to remember to click one of those two buttons when they would like to add confidentiality through encryption and/or a digital signature to the message.

Digital certificates are an important part of all of this. As I mentioned earlier, they are used to add authentication to encryption, and they are a prerequisite to what we are about to discuss in the next application of cryptography, over the web. What digital certificates do is use asymmetric cryptography to facilitate the secure exchange of public keys. So, if I need to give my public key to you, there are not many ways that I can do that without using digital certificates. If I email it to you, you will get it, but how do you know that it actually came from me and not Mal? Going back to our example using Alice, Bob and Mal, how do you know that Mal did not send you a public key and say, "Hey, this is Mike's public key"? You accept that, and now you communicate back and forth with Mal, but you think that you are communicating with me. Now, I could write it down and send it to you, or print it out and send it to you in the mail, but that is very difficult because these keys are very, very long.

So, the alternative is the use of digital certificates, which use principles of asymmetric cryptography to facilitate that exchange. They rely upon trusted third parties, certificate authorities, and these are names you recognize, companies like VeriSign, Go Daddy, and Entrust. There are many certificate authorities out there that provide added trust to the transaction. What they do is take a person's public key and verify that person's identity, whether they do a driver's license check, a credit check, or any of the other methods that they use to verify identity, and they vouch for the public key. They say, "This is a public key that I received from this person who proved to me who they were," and they sign it using their own private key, and then create a digital certificate for you. That digital certificate can then be used to prove your identity to other people. This is commonly used for servers. When you are using secure web communications, you put a digital certificate on your server that is generated by one of these trusted certificate authorities, and then you can give users your public key and they can securely communicate with you and know that they are actually communicating with the organization that they think they are communicating with.

Now, to a certificate authority, trust is essential. Their entire business is built on trust. If people do not trust a particular certificate authority, and do not believe that it is doing a good job creating those digital certificates and verifying the identities that it is vouching for, the business model falls apart for them, and their certificates become worthless. It is important that they preserve that trust. As I mentioned, digital certificates form the basis of encryption over the web, so when you add that extra 'S' to a URL to use encryption, you are using digital certificates to provide that secure web communication. With HTTPS, we are basically taking the standard HTTP protocol, the hypertext transfer protocol that is used to exchange information over the web, and we are enhancing it with a technology known as the secure sockets layer. You can see here the steps of that process.

First, when you type in a website, you go to https://yourbank.com, you are accessing that secure site with your web browser, and a lot of things happen behind the scenes. Your browser recognizes that it is trying to communicate with a secure site, and it asks the site for its digital certificate. The site sends that to your browser, and your browser has the technology built into it to automatically verify that certificate. It checks the certificate authority's signature, makes sure it is valid, and makes sure the certificate has not been revoked. And then, if any of those things have problems, it pops up a warning message that you can look at, telling you what has gone wrong in the process. But if everything checks out okay, you do not notice a thing. The user just begins communicating with the site. What is happening then is that the browser, once it has verified that certificate, switches over to symmetric cryptography.

Remember, I mentioned earlier that we were going to talk about an example that combines asymmetric and symmetric cryptography. So digital certificates and the verification of them require asymmetric cryptography, because you want to have non-repudiation and you want to be able to do this without having exchanged a secret key in advance. Once the browser verifies the certificate, it wants to switch over to symmetric cryptography because it is much faster and it is able to do that with much less overhead, both for the user, the browser and the server. So the browser just randomly chooses a symmetric encryption key, a shared secret key, that will be used just for that session. And then it encrypts it using the public key from the server certificate that it has already received and validated, and it sends that encrypted symmetric key to the server. The server, when it receives that message, is able to decrypt it because the server has its own private key that nobody else has; it decrypts that message and has the symmetric key. So from that point forward, all the communication between that client and the server for that session uses that shared secret symmetric encryption key. The next time they try to communicate, the whole process begins again and a new symmetric key is created. So it is a work-around that lets you have the benefits of symmetric cryptography combined with the benefits of asymmetric cryptography.

The final application of cryptography that I would like to talk about is virtual private networks. Virtual private networks are a technology that uses encryption to securely tunnel traffic over an unsecured network. There are two very common applications of this. Virtual private networks are very often used by remote workers. So if you are working from home, a coffee shop, an airport, a hotel or wherever you happen to be, you can use virtual private networks to securely connect back to your office network, and your organization simply has to run a virtual private network (VPN) server that you can connect to. And even though you are communicating over the internet, all of the communication between your computer and that VPN server is encrypted. So anybody who happens to eavesdrop upon your communications, whether they are sitting next to you in the coffee shop or they are somewhere on the internet in between the two places, is not able to understand anything that is going on; it is still encrypted to provide that confidentiality. Once the traffic reaches the VPN server, it is automatically decrypted and then put on to the company network. So to the end user, it is just as if they were on the company network. It might be a little bit slower because they are not physically there, but encryption provides that link over the internet so you can securely communicate and have a secure presence on your company network.

The second use of virtual private networks is to link sites. So an organization that has multiple offices, for example, can use virtual private networks to set up site-to-site links, so that it appears to each of the users at each of the sites as if everyone else on the network, even if they are at remote sites, is all on the same network, and they can access the same resources. So virtual private networks provide a very important means of communicating securely between users who are either located at remote sites or who are in different offices in the same organization. In summary, encryption provides a powerful technology that is used to protect data from eavesdropping while it is in transit, or from theft while it is at rest. It is important to remember that those are the only two things that encryption is used for, the only protection that it provides. Remember our goals. Encryption can be used for confidentiality, integrity, non-repudiation and authentication. It does not protect against viruses, insiders and all of the other risks that we need other security technologies to protect against. The selection of an encryption algorithm and encryption applications is critical. When you are selecting an algorithm, pick one that is commonly accepted in the security community, and has been tested and vetted by cryptographers and mathematicians for its security. You also have to choose a key and keep it secure.

Thank you for watching this presentation. For more information visit SearchSecurity.com. Have a great day.
